System and method of resolving discrepancies between diverse firewall designs

ABSTRACT

A system, computer-implementable method, and computer-usable medium for resolving discrepancies between diverse firewall designs. In a preferred embodiment of the present invention, a firewall design manager receives at least two designs for a rule-based system and computing at least one functional discrepancy between the at least two designs utilizing decision diagrams.

PRIORITY CLAIM

The application claims the benefit of priority under 35 U.S.C. §119(e) from U.S. Provisional Application No. 60/690,594, filed on Jun. 15, 2005, which disclosure is incorporated herein by reference.

BACKGROUND OF THE INVENTION

1. Technical Field

The present invention relates to the field of data processing systems. More particularly, the present invention relates to the field of securing data processing systems. Still more particularly, the present invention relates to a system and method of designing firewalls to secure data processing systems

2. Description of the Related Art

A firewall is a hardware and/or software network element interposed between a private network and an external network (e.g., Internet) to enforce a desired security policy on all incoming and outgoing packets. A packet can be viewed as a tuple with a finite number of fields; examples of these fields are source/destination IP address, source/destination port number, and protocol type. A firewall configuration defines which packets are legitimate and which are illegitimate. By examining the values of these fields for each incoming and outgoing packet, a firewall differentiates between legitimate and illegitimate packets, accepting legitimate packets and discarding illegitimate packets according to its configuration.

An error in a firewall configuration means that a wrong definition of legitimate or illegitimate has been established for at least some packets, which will either allow unauthorized access from the outside Internet to the private network or disable some legitimate communication between the private network and the outside Internet. Neither error case is desirable. Design of a firewall configuration is therefore and important network security and operability issue.

SUMMARY OF THE INVENTION

The present invention includes a system, computer-implementable method, and computer-usable medium for resolving discrepancies between diverse firewall designs. In a preferred embodiment of the present invention, a firewall design manager receives at least two designs for a rule-based system and computing at least one functional discrepancy between the at least two designs utilizing decision diagrams.

The above-mentioned features, as well as additional objectives, features, and advantages of the present invention will become apparent in the following detailed written description.

BRIEF DESCRIPTION OF THE DRAWINGS

The novel features believed characteristic of the invention are set forth in the appended claims. The invention itself, however, as well as a preferred mode of use, further objects and advantages thereof, will best be understood by reference to the following detailed description of an illustrative embodiment when read in conjunction with the accompanying drawings, wherein:

FIG. 1A illustrates an exemplary firewall in which a preferred embodiment of the present invention may be implemented;

FIG. 1B is a block diagram depicting an exemplary data processing system in which a preferred embodiment of the present invention may be implemented;

FIG. 2 illustrates an exemplary firewall in the form of a firewall decision diagram according to a preferred embodiment of the present invention;

FIG. 3 depicts a second exemplary firewall in the form of a collection of firewall rules according to a preferred embodiment of the present invention;

FIG. 4 is a tree diagram illustrating an exemplary method of appending a rule to a partial firewall according to a preferred embodiment of the present invention;

FIG. 5 depicts a firewall decision diagram constructed from the firewall rules illustrated in FIG. 3, according to a preferred embodiment of the present invention;

FIG. 6 illustrates a pair of shapeable nodes in two firewall decision diagrams according to a preferred embodiment of the present invention;

FIG. 7 depicts a pair of semi-isomorphic nodes according to a preferred embodiment of the present invention;

FIG. 8 illustrates a firewall decision diagram transformed from the firewall decision diagram depicted in FIG. 2, according to a preferred embodiment of the present invention;

FIG. 9A is a high-level logical flowchart diagram depicting an exemplary method of diverse firewall design according to a preferred embodiment of the present invention; and

FIG. 9B is a more detailed high-level logical flowchart diagram illustrating an exemplary method of comparing functional discrepancies among at least two firewall designs according to a preferred embodiment of the present invention.

DETAILED DESCRIPTION OF A PREFERRED EMBODIMENT

With reference now to the figures, and in particular, with reference to FIG. 1A, there is depicted a block diagram illustrating an exemplary network 100 in which a preferred embodiment of the present invention may be implemented. As illustrated, network 100 includes Internet 102, which is coupled to private network 110 via firewall 104. Internet 102 is an interconnected system of networks that connects computers around the world via the transmission control protocol/internet protocol (TCP/IP) protocol suite. Firewall 104 provides secure access to and from private network 110. Particularly, any packet that attempts to enter or leave private network 110 is first examined by firewall 104 and, depending on the settings of the different fields in the packet, firewall 104 determines whether to transmit or discard the packet.

In the depicted embodiment, private network 110 includes a mail server 106 and at least one host 108. If firewall 104 decides to accept an incoming packet, the packet is routed by firewall 104 or an associated router to either mail server 106 or host(s) 108 depending on the setting of the fields in the packet.

FIG. 1B is a block diagram depicting an exemplary data processing system 148 in which a preferred embodiment of the present invention may be implemented. Those with skill in the art will appreciate that firewall 104, mail server 106, or host(s) 108 may be implemented with a data processing system 148. Also, those with skill in the art will appreciate that the present invention is not limited to the representation of data processing system 148 illustrated in FIG. 1B, but may include any type of single or multi-processor data processing system.

As illustrated, data processing system 148 includes processing unit 150, data storage 154, and user interface 156 which are all coupled by interconnect 152. Data storage 154 may be implemented by any type of volatile or non-volatile memory such as read-only memory (ROM), random-access memory (RAM), any type of flash memory, optical memory, and magnetic storage. Also, as depicted, data storage 154 includes firewall design manager 160, which provides to a user a graphical user interface for developing firewalls, discussed herein in more detail.

A firewall is usually defined by a sequence of rules, which may overlap and conflict with each other. Two rules overlap if and only if there is at least one packet that matches both rules. Two rules conflict if and only if the two rules overlap and also have different decisions. The conflicts among rules make firewall design difficult and error prone. Examining each conflict is helpful in reducing errors; however, the number of conflicts in a firewall is usually large, and the manual checking of each conflict or anomaly is unreliable because the meaning of each rule depends on the current order of the rules in the firewall, which may be incorrect. High-level languages for describing firewall rules are helpful in firewall design; however, high-level languages do not address conflicts.

Some firewall rule analysis tools exist for designers to analyze the effects of existing firewall rules. The analysis provided by such tools answers queries from users. These tools are helpful in analyzing some suspicious behaviors of a firewall; however, ad-hoc user queries are not guaranteed to cover all possible situations that the firewall may encounter during operation.

Other tools are currently available for network vulnerability testing. These vulnerability testing tools scan a private network based on the current publicly known attacks, rather than the requirement specification of a firewall. Although vulnerability testing tools can possibly catch errors that allow illegitimate access to the private network, they cannot find the errors that disable legitimate communication between the private network and the outside Internet.

Firewall Design Methods

A “packet” is defined over the fields F₁ . . . , F_(d) as a d-tuple (p₁ . . . , P_(d)) where each p_(i) is an element in the domain D(F_(i)) of field F_(i), and each D(F_(i)) is an interval of nonnegative integers. For example, one of the fields of an IP packet is the source address, and the domain of this field is [0,2³²). For the brevity of presentation, we assume that all packets are over the d fields F₁ . . . , F_(d), and we use Σ to denote the set of all packets. It follows that Σ is a finite set of size |D(F₁)|x . . . x|D(F_(n))|.

Firewall

A “firewall” consists of a sequence of rules, where each rule is of the following format: (F₁ ∈ S₁)

. . .

(F_(d) ∈ S_(d))→<decision> where each S_(i) is a nonempty subset of D(F_(i)), and the <decision> is either accept or discard. If S_(i)=D(F_(i)), we can replace (F_(i) ∈ S_(i)) by (F_(i) ∈ all), or remove the conjunct (F_(i) ∈ D(F_(i))) altogether. A packet (p₁ . . . , p_(d)) matches a rule (F₁ ∈ S₁) Λ . . . Λ (F_(d) ∈ S_(d))→<decision> if and only if the condition (p₁ ∈ S₁)

. . .

(p_(d) ∈ S_(d)) holds. Since a packet may match more than one rule in a firewall, each packet is mapped to the decision of the first rule that the packet matches. The predicate of the last rule in a firewall is usually a tautology to ensure that every packet has at least one matching rule in the firewall. Firewall Function

A “firewall function” is a many-to-one mapping: Σ→{accept, discard}. This function can be defined by a sequence of rules or by a firewall decision diagram. Two firewalls are equivalent if and only if they implement the same firewall function.

Firewall Decision Diagram

A “Firewall Decision Diagram” (FDD) f over fields F₁ . . . , F_(d), is an acyclic and directed graph that has the following five properties:

-   1. There is exactly one node in f that has no incoming edges. This     node is called the root of f. The nodes in f that have no outgoing     edges are called terminal nodes of f. -   2. Each node v in f has a label, denoted F(v), such that F(ν) ∈

{F₁, . . . , F_(d)} if v is a nonterminal node; and

F(ν) ∈ {accept, discard} if v is a terminal node.

-   3. Each edge e in f has a label, denoted I(e), such that if e is an     outgoing edge of node v, then

I(e) ⊂ D(F(ν)).

-   4. A directed path in f from the root to a terminal node is called a     decision path of f. No two nodes on a decision path have the same     label. -   5. The set of all outgoing edges of a node v in f, denoted E(v),     satisfies the following two conditions:

(a) Consistency: I(e) ∩ I(e′)=Ø for any two distinct edges e and e′ in E(v),

(b) Completeness:

_(e∈E(ν))I(e)=D(F(ν))

A decision path in an FDD f is represented by (v₁e₁ . . . v_(k)e_(k)v_(k+1)) where v₁ is the root, v_(k+1) is a terminal node, and each e_(i) is a directed edge from node v_(i) to node v_(i+1). A decision path (v₁e₁ . . . v_(k)e_(k)v_(k+1)) in an FDD defines the following rule: F₁ ∈ S₁

. . .

F_(n) ∈ S_(n)→F(v_(k+1)) where S_(i)=I(e_(j)) if there is a node v_(j) in the decision path that is labeled with field F_(i); and S_(i)=D(F_(i)) if no nodes in the decision path is labeled with F_(i).

For an FDD f, S_(f) denotes the set of all the rules defined by all the decision paths of f. For any packet p, there is one and only one rule in S_(f) that p matches because of the consistency and completeness properties; therefore, f maps p to the decision of the only rule that p matches.

Given an FDD f, any sequence of rules that consists of all the rules in S_(f) is equivalent to f. The order of the rules in such a firewall is immaterial because the rules in S_(f) are non-overlapping.

The construction of an equivalent FDD for a given sequence of rules is discussed herein in more detail.

Exemplary Firewalls

Consider again the simple network 100 illustrated in FIG. 1A. Network 100 has a gateway router 104 with two interfaces: interface 0, which connects gateway router 104 to the outside Internet, and interface 1, which connects gateway router 104 to private network 110. The firewall for this local network resides in gateway router 104. An exemplary requirement specification for this firewall may be expressed as follows:

The mail server with IP address 192.1.2.3 can receive emails. The packets from an outside malicious domain 192.168.0.0/16 should be blocked. Other packets should be accepted and allowed to proceed.

Suppose this requirement specification is given to two design teams: Team A and Team B. Team A designs a firewall 200 expressed as FDD 200 depicted in FIG. 2, and Team B designs a firewall 300 expressed as a sequence of rules illustrated in FIG. 3. In these figures, the following symbols are utilized by: a (Accept), d (Discard), I (Interface), S (Source IP), D (Destination IP), N (Destination Port), P (Protocol Type). The symbols α, β, γ respectively denote the integer formed by the four bytes of the IP addresses 192.168.0.0, 192.168.255.255, and 192.1.2.3. For simplicity, the protocol type value in a packet is either 0 (TCP) or 1 (UDP), and each packet has a field containing the information of the network interface on which that packet arrived.

Given these two firewalls, one in FIG. 2 and the other in FIG. 3, the following three steps are utilized to discover all the discrepancies between them: (1) construct an equivalent ordered FDD 500 (in FIG. 5) from the sequence of rules in FIG. 3 by the construction algorithm; (2) transform the two ordered FDDs, one in FIG. 2 and the other in FIG. 5, to two semi-isomorphic FDDs (e.g., semi-isomorphic FDD 800 as illustrated in FIG. 8) by the shaping algorithm, discussed hereinafter in more detail; and (3) discover all the discrepancies between the two semi-isomorphic FDDs by the comparison algorithm, also discussed hereinafter in more detail.

Construction Algorithm

The construction algorithm constructs an equivalent FDD from a sequence of rules <r₁, . . . , r_(n)> where each rule is of the format (F₁ ∈ S₁)

. . .

(F_(d) ∈ S_(d))→decision>. Note that all the d packet fields appear in the predicate of each rule, and they appear in the same order.

First, a partial FDD is constructed from the first rule. A “partial FDD” is a diagram that has all the properties of an FDD, except the completeness property. The partial FDD constructed from a single rule contains only the decision path that defines the rule. Suppose from the first i rules, r₁ through r_(i), a partial FDD is constructed, whose root v is labeled F₁, and suppose v has k outgoing edges e_(i), . . . , e_(k). Let r₁₊₁ be the rule (F₁ ∈ S₁)

. . .

(F_(d) ∈ S_(d))→<decision>. Next, rule r₁₊₁ is appended to this partial FDD.

To add rule r_(i+1), a determination is made whether another outgoing edge is to be added to v. If S₁−(I(e_(i)) ∪ . . . ∪I(e_(k)))≠Ø, a new outgoing edge with label S₁−(I(e_(i))∪ . . . ∪I(e_(k))) is added to v because any packet whose F₁ field is an element of S₁−(I(e_(i)) ∪ . . . ∪I(e_(k))) does not match any of the first i rules, but matches r₁₊₁ provided that the packet satisfies (F₂ ∈ S₂)

. . .

(F_(d) ∈ S_(d)). Then, a decision path from (F₂ ∈ S₂)

. . .

(F_(d) ∈ S_(d)))→<decision> is constructed, and the new edge from node v to the first node of this decision path is also added.

Next, S₁ and I(e_(j)) are compared for each j where 1≦j≦k. This comparison leads to one of the following three cases:

-   1. S₁ ∩ I(e_(j))=Ø: In this case, edge e_(j) is skipped because any     packet whose value of field F₁ is in set I(e_(j)) doesn't match     r_(i+1). -   2. S₁ ∩ I(e_(j))=I(e_(j)): In this case, for a packet whose value of     field F₁ is in set I(e_(j)), it may match one of the first i rules,     and it also may match rule r_(i+1). So, the rule (F₂ ∈ S₂)     . . .     (F_(d) ∈ S_(d)))→<decision> is appended to the subgraph rooted at     the node to which e_(j) points. -   3. S₁ ∩ I(e_(j))≠Ø and S₁ ∩ I(e_(j))≠I(e_(j)): In this case, edge e     is split into two edges: e′ with label I(e_(j))−S₁ and e″ with label     I(e_(j)) ∩ S₁. Then, two copies of the subgraph rooted at the node     that e_(j) points to are made, and let e′ and e″ point to one copy     each. Further, e′ is dealt with by the first case, and e″ by the     second case.

The foregoing construction algorithm may be expressed in the following pseudocode: In the pseudocode, e.t denotes the (target) node to which the edge e points. Construction Algorithm Input : A firewall f of a sequence of rules <r₁,...,r_(n)> Output : An FDD f′ such that f and f′ are equivalent Steps: 1. build a decision path with root v from rule r₁; 2. for i :=2 to n do APPEND(v, r_(i)); End APPEND (ν,F_(m) ∈ S_(m))

...

(F_(d) ∈ S_(d)) → <decision>) /* F(ν) = F_(m) and E(ν) = {e₁,...e_(k) }*/ 1.  if ( S_(m) − (I(e₁) ∪ ... ∪ I(e_(k)))) ≠ Ø then     (a) add an outgoing edge e_(k+1) with label S_(m) − (I(e₁) ∪ ... ∪     I(e_(k))) to v;     (b) build a decision path from rule     (F_(m+1) ∈ S_(m+1))

...

(F_(d) ∈ S_(d)) → <decision>,     and make e_(k+1) point to the first node in this path; 2.  if m<d then     for j :=1 to k do        if I(e_(j))

S_(m) then           APPEND(e_(j).t, (F_(m+1) ∈ S_(m+1))

...

(F_(d) ∈ S_(d))           → <decision>);        else if I(e_(j)) ∩ S_(m) ≠ Ø then           (a) add one outgoing edge e to v, and label e with           I(e_(j)) ∩ S_(m) ;     (b) make a copy of the subgraph rooted at e_(j).t, and make e     points to the root of the copy;     (c) replace the label of e_(j) by I(e_(j)) − S_(m);     (d) APPEND( e.t,  (F_(m+1) ∈ S_(m+1))

...

(F_(d) ∈ S_(d))           → <decision>);

As an example, consider the sequence of rules in FIG. 5. FIG. 6 illustrates the partial FDD that constructed from the first rule, and the partial FDD after appending the second rule. The FDD after appending the third rule is shown in FIG. 7.

Shaping Algorithm

The shaping algorithm is utilized to transform two ordered, but not semi-isomorphic FDDs f_(a) and f_(b) into two semi-isomorphic FDDs f′_(a) and f′_(b) such that f_(a) is equivalent to f′_(a), and f_(b) is equivalent to f′_(b). If < denotes the total order over the packet fields F₁, . . . , F_(d) where F₁< . . . <F_(d) holds, an FDD is ordered if and only if for each decision path (v₁e₁ . . . v_(k)e_(k)v_(k+1)), the condition F(v₁)< . . . <F(v_(k)) holds.

From this definition, the FDDs constructed by the construction algorithm are ordered. Therefore, if a firewall f designed by a team is a non-ordered FDD f, a sequence of rules that consists of all the rules in S_(f), where S_(f) is the set of all the rules defined by the decision paths of f, is first generated; second, an equivalent ordered FDD f′ is constructed from the sequence of rules. Then, f′, instead of f, is compared with other firewalls for discrepancies, if any.

Informally, two FDDs are semi-isomorphic if their graphs are isomorphic, the labels of their corresponding nonterminal nodes match, and the labels of their corresponding edges match. In other words, only the labels of their terminal nodes may differ. Formally, two FDDs f and f′ are defined to be semi-isomorphic if and only if there exists a one-to-one mapping σ from the nodes of f onto the nodes of f′, such that the following two conditions hold:

-   1. For any node v in f, either both v and σ(v) are nonterminal nodes     with the same label, or both of them are terminal nodes; -   2. For each edge e in f, where e is from a node v₁ to a node v₂,     there is an edge e′ from σ (v₁) to σ (v₂) in f′, and the two edges e     and e′ have the same label.

The algorithm for transforming two ordered FDDs to two semi-isomorphic FDDs uses the following three basic operations. (Note that none of these operations changes the semantics of the FDDs.)

-   1. Node Insertion: If along all the decision paths containing a node     v, there is no node that is labeled with a field F, a node v′     labeled F can be inserted right above v as follows: make all     incoming edges of v point to v′, create one edge from v′ to v, and     label this edge with the domain of F. -   2. Edge Splitting: For an edge e from v₁ to v₂, if I(e)=S₁ ∪ S₂,     where neither S₁ nor S₂ is empty, then e can be split into two edges     as follows: replace e by two edges from v₁ to v₂, label one edge     with S₁ and label the other with S₂. -   3. Subgraph Replication: If a node v has m (m≧2) incoming edges, m     copies of the subgraph rooted at v can be made, and make each     incoming edge of v point to the root of one distinct copy.     FDD Simplification

Before applying the shaping algorithm, presented below, to two ordered FDDs, each is preferably transformed to an equivalent simple FDD, where an FDD is simple if and only if each node in the FDD has at most one incoming edge and each edge in the FDD is labeled with a single interval.

It is straightforward that the two operations of edge splitting and subgraph replication can be applied repetitively to an FDD in order to make this FDD simple. Note that the graph of a simple FDD is an outgoing directed tree. In other words, each node in a simple FDD, except the root, has only one parent node, and has only one incoming edge (from the parent node).

Node Shaping

Next, the procedure for transforming two shapeable nodes to two semi-isomorphic nodes is introduced, which is the basic building block in the shaping algorithm for transforming two ordered FDDs to two semi-isomorphic FDDs. Shapeable nodes and semi-isomorphic nodes are defined as follows.

Definition (Shapeable Nodes) Let f_(a) and f_(b) be two ordered simple FDDs, v_(a) be a node in f_(a) and v_(b) be a node in f_(b). Nodes v_(a) and v_(b) are shapeable if and only if one of the following two conditions holds:

-   1. Both v_(a) and v_(b) have no parents, i.e., they are the roots of     their respective FDDs; -   2. Both v_(a) and v_(b) have parents, their parents have the same     label, and their incoming edges have the same label.

For example, referring to FIG. 6, two nodes F₁ 602-604 in FIG. 6 are shapeable since they have no parents.

Definition (Semi-isomorphic Nodes): Let f_(a) and f_(b) be two ordered simple FDDs, v_(a) be a node in f_(a) and v_(b) be a node in f_(b). The two nodes v_(a) and v_(b) are semi-isomorphic if and only if one of the following two conditions holds:

-   1. Both v_(a) and v_(b) are terminal nodes; -   2. Both v_(a) and v_(b) are nonterminal nodes with the same label     and there exists a one-to-one mapping σ from the children of v_(a)     to the children of v_(b) such that for each child v of v_(a), v and     σ(v) are shapeable.

Given two shapeable nodes v_(a) and v_(b), whose parents have the same label, the process for making two shapeable nodes v_(a) and v_(b) semi-isomorphic includes the following two steps:

-   1. This step is skipped if v_(a) and v_(b) have the same label, or     both of them are terminal nodes. Otherwise, without loss of     generality, assume F(v_(a))<F(v_(b)). In all the decision paths     containing node v_(b), no node is labeled F(v_(a)) because the     parent of v_(a) and the parent of v_(b) have the same label.     Therefore, a new node v′_(b) with label F(v_(a)) can be created, a     new edge with label D(F(v_(a))) from v′_(b) to v_(b) can be created,     and all incoming edges of v_(b) are made to point to v′_(b). Now     v_(a) has the same label as v′_(b). (Recall that this node insertion     operation leaves the semantics of the FDD unchanged.) -   2. From the previous step, v_(a) and v_(b) are assumed to have the     same label. In the current step, the two operations of edge     splitting and subgraph replication are utilized to build a     one-to-one correspondence from the children of v_(a) to the children     of v_(b) such that each child of v_(a) and its corresponding child     of v_(b) are shapeable.

Suppose D(F(v_(a)))=D(F(v_(b)))=[a, b]. Note that each outgoing edge of v_(a) or v_(b) is labeled with a single interval because the two FDDs are simple FDDs. Suppose v_(a) has m outgoing edges {e₁, . . . , e_(m)}, where I(e_(i))=[a_(i), b_(i)], a₁=a, b_(m)=b, and every a_(i+1)=b_(i)+1. Also suppose v_(b) has n outgoing edges {e′₁, . . . , e′_(n)}, where I(e′_(i))=[a′_(i), b′_(i)], a′₁=a, b′_(n)=b, and every a′_(i+1)=b′_(i)+1.

Comparing edge e₁, whose label is [a, b₁], and e′₁, whose label is [a, b′₁], there are only the following two cases:

-   (1) b₁=b′₁: In this case I(e_(i))=I(e′_(i)), therefore, node e₁.t     and node e′₁.t are shapeable. (Recall that e.t is utilized to denote     the node to which edge e points.) Then, e₂ and e′₂ are compared     since both I(e₂) and I(e′₂) begin with b₁+1. -   (2) b₁≠b′₁: Without loss of generality, assume b₁<b′₁. In this case,     split e′_(i) into two edges e and e′, where e is labeled [a, b₁] and     e′ is labeled [b₁+1, b′₁]. Then, make two copies of the subgraph     rooted at e′₁.t and let e and e′ point to one copy each. Thus     I(e₁)=I(e) and the two nodes, e₁.t and e.t are shapeable. Then,     continue to compare the two edges e₂ and e′ since both I(e₂) and     I(e′) begin with b₁+1.

The above process continues until the last outgoing edge of v_(a) and the last outgoing edge of v_(b) are reached. Note that each time a comparison is made between an outgoing edge of v_(a) and an outgoing edge of v_(b), the two intervals labeled on the two edges begin with the same value. Therefore, the last two edges that we compare must have the same label because they both ends with b. In other words, this edge splitting and subgraph replication process will terminate. When it terminates, v_(a) and v_(b) become semi-isomorphic.

In the following pseudocode for making two shapeable nodes in two ordered simple FDDs semi-isomorphic, we use I(e)<I(e′) to indicate that every integer in I(e) is less than every integer in I(e′). Procedure Node_Shaping(f_(a), f_(b), v_(a), v_(b))  Input:Two ordered simple FDDs f_(a) and f_(b),and two shapeable nodes v_(a) in f_(a) and v_(b) in f_(b)  Output: The two nodes v_(a) and v_(b) become semi-isomorphic, and the procedure returns a set S of node pairs of the form(w_(a), w_(b)) where w_(a) is a child of v_(a) in f_(a), w_(b) is a child of v_(b) in f_(b), and the two nodes w_(a) and w_(b) are shapeable.  Steps:  1.  if both v_(a) and v_(b) are terminal, then return(Ø);      else if the condition that both v_(a) and v_(b) are nonterminal and they have the same  label does not hold {      /*Here either both v_(a) and v_(b) are nonterminal and they have different labels, or   one node is terminal and the other is nonterminal. Without loss of generality, assume one   the following conditions holds:      (1) both v_(a) and v_(b) are nonterminal and F(ν_(a)) < F(ν_(b)) ,      (2) v_(a) is a nonterminal node and v_(b) is a terminal node.*/      insert a new mode with label F(v_(a))      above v_(b), and call the new node v_(b);}  2.  let E(ν_(a)) be {e_(a,l),...,e_(a),_(m)}where I(e_(a,l)) <...<I(e_(a,m)) .      let E(ν_(b)) be {e_(b,l),...,e_(b),_(n)} where I(e_(b,l)) <...<I(e_(b,n)) .  3.  i :=1;j :=1;      while ( (i<m) or (j<n) ) do{      /*During this loop, the two intervals I(e_(a,i)) and I(e_(b,j)) always begin with the      same integer.*/      let I(e_(a,i)) = [A,B] and I(e_(b,j)) = [A,C], where A, B, C are three integers;      if B = C then {i := i + 1; j := j + 1;}      else if B<C then{        (a) create an outgoing edge e of v_(b), and label e with [A,B];        (b) make a copy of the subgraph rooted at e_(b,j).t and make e point to the        root of the copy;        (c) I(e_(b,j)) := [B+1,C];        (d) i := i + 1;}      else {/*B > C*/        (a) create an outgoing edge e of v_(a), and label e with [A,C];        (b) make a copy of the subgraph rooted at e_(a,j).t and make e point to the        root of the copy;        (c) I(e_(a,j)) := [C+1,B];        (d) j := j + 1;}  4.  /* Now v_(a) and v_(b) become semi-isomorphic.*/      let E(v_(a)) = { e_(a,l), . . ., e_(a,k)} where I(e_(a,l)) < . . . < I(e_(a,k)) and k ≧ 1;      let E(v_(b)) = { e_(b,l), . . ., e_(b,k)} where I(e_(b,l)) < . . . < I(e_(b,k)) and k ≧ 1;      S := Ø      for i = 1 to k do        add the pair of shapeable nodes (e_(a,j).t, e_(b,j).t) to S;      return(S);   End

If the above node shaping procedure is applied to the two shapeable nodes F₁ 602-604 in FIG. 6, the resulting two semi-isomorphic nodes are shown in FIG. 7.

FDD Shaping

To make two ordered FDDs f_(a) and f_(b) semi-isomorphic, first f_(a) and f_(b) are simplified, then f_(a) and f_(b) are made semi-isomorphic as follows. Suppose a queue Q is initially empty. At first the pair of shapeable nodes consisting of the root of f_(a) and the root of f_(b) are placed into Q. As long as Q is not empty, the head of Q is removed, and the two shapeable nodes are fed to the above Node Shaping procedure. Then all the pairs of shapeable nodes returned by the Node Shaping procedure are placed into Q. When the algorithm finishes, f_(a) and f_(b) become semi-isomorphic. The pseudocode for this shaping algorithm is as follows: Shaping Algorithm Input: Two ordered FDDs f_(a) and f_(b) Output: f_(a) and f_(b) are semi-isomorphic Steps: 1.  make the two FDDs f_(a) and f_(b) simple; 2.  Q := Ø 3.  add the shapeable pair (root of f_(a), root of f_(b)) to Q; 4.  while Q ≠ Ø do {     remove the header pair (v_(a), v_(b)) from Q;     S := Node_Shaping (f_(a), f_(b), v_(a), v_(b));     add every shapeable pair from S into Q;     } End

As an example, applying the above shaping algorithm to the two FDDs in FIGS. 2 and 6, two semi-isomorphic FDDs are obtained. One of those FDDs is shown in FIG. 8, and the other is identical to that of in FIG. 8 with one exception, namely, the “a” or “d” labels of the black terminal nodes are reversed.

Comparison Algorithm

The comparison algorithm is utilized to compare two semi-isomorphic FDDs. Given two semi-isomorphic FDDs f and f′ with a one-to-one mapping σ, each decision path (v₁e_(1 . . . v) _(k)e_(k)v_(k+1)) in f has a corresponding decision path (σ(v₁) σ (e₁) . . . σ (v_(k)) σ (e_(k)) σ (v_(k+1))) in f′. Similarly, each rule (F(v₁) ∈ I(e₁))

. . .

(F(v_(k))∈ I(e_(k)))→F(v_(k+1)) in S_(f) has a corresponding rule (F(σ (v₁)) ∈ I(σ (e₁)))

. . .

(F(σ (v_(k))) ∈ I(σ(e_(k))))→F(σ(v_(k+1))) in S_(f′). Note that F(v_(i))=F(σ (v_(i))) and I(e_(i))=I(σ (e_(i))) for each i where 1≦i≦k. Therefore, for each rule (F(v₁) ∈ I(e₁))

. . .

(F(v_(k))∈ I(e_(k)))→F(v_(k+1)) in S_(f), the corresponding rule in S_(f′) is (F(v₁) ∈ I(e₁))

. . .

(F(v_(k))∈ I(e_(k)))→F(σ (v_(k+1))). Each of these two rules is called the companion of the other. This companionship implies a one-to-one mapping from the rules defined by the decision paths in f to the rules defined by the decision paths in f′. Note that for each rule and its companion, either they are identical, or they have the same predicate but different decisions. Therefore, S_(f)-S_(f′) is the set of all the rules in S_(f) that have different decisions from their companions. Similarly for S_(f′)-S_(f). Note that the set of all the companions of the rules in S_(f′)-S_(f) is S_(f)-S_(f′) and similarly the set of all the companions of the rules in S_(f)- S_(f′) is S_(f′)-S_(f). Since these two sets manifest the discrepancies between the two FDDs, the two design teams can investigate them to resolve the discrepancies.

Let f be FDD 900 in FIG. 9, and let f′ be a FDD that is identical to f with one exception, namely the labels of the black terminal nodes are reversed. Here f is equivalent to the firewall in FIG. 3 designed by Team A, and f′ is equivalent to the firewall in FIG. 4 designed by Team B. By comparing f and f′ the following discrepancies between the two firewalls designed by Team A and Team B are discovered:

-   1. (I ∈ {0})     (S ∈ [α,β])     (D ∈ {γ})     (N ∈ {25})     (P ∈ {0})→d in f_(a)/a in f_(b)

Question to investigate: Should computers from the malicious domain send email to the mail server? Team A indicates “no”, while Team B “indicates “yes”.

-   2. (I ∈ {0})     (S ∈ [0, α−1] ∪ [β+1,2³²))     (D ∈ {γ})     (N ∈ {25})     (P ∈ {1})     →d in f_(a)/a in f_(b)

Question to investigate: Should UDP packets sent from the hosts who are not in the malicious domain be allowed to the mail server? Team A indicates “no”, while Team B indicates “yes”.

-   3. (I ∈ {0})     (S ∈ [0,α−1] ∪ [β+1,2³²))     (D ∈ {γ})     (N ∈ [0,24] ∪ [26,2¹⁶)     (P ∈ all)     →d in f_(a)/a in f_(b)

Question to investigate: Should we allow the packets with a port number other than 25 be sent from the hosts who are not in the malicious domain to the mail server? Team A says no, while Team B says yes.

FIG. 9A is a high-level logical flowchart diagram illustrating an exemplary method for implementing diverse firewall design according to a preferred embodiment of the present invention. The process begins at step 900 and proceeds to step 902, which depicts the distribution of a firewall specification to at least two design teams. The process continues to step 904, which illustrates firewall design manager 160 receiving at least two firewall designs from the at least two design teams. The process continues to step 906, which depicts firewall design manager 160 computing functional discrepancies between the at least two firewall designs (discussed herein in more detail in conjunction with FIG. 9B). The process proceeds to step 908, which illustrates firewall design manager 160 resolving discrepancies between multiple firewall designs. The process ends, as depicted in step 910.

FIG. 9B is a high-level logical flowchart diagram depicting an exemplary method for computing functional discrepancies between at least two firewall designs according to a preferred embodiment of the present invention. The process begins at step 912 and proceeds to step 914, which illustrates firewall design manager 160 receiving at least two firewall designs from firewall design teams. The received firewalls are expressed as either a firewall decision diagram or a sequence of rules.

The process continues to step 916, which illustrates firewall design manager 160 determining if any of the received firewall designs is expressed as a non-ordered firewall decision diagrams. If any of the received firewall designs is expressed as a non-ordered firewall decision diagrams, the process continues to step 920, which illustrates firewall design manager 160 transforming each non-ordered firewall decision diagram into a sequence of rules.

The process continues to step 922, which illustrates firewall design manager 160 constructing an equivalent ordered firewall decision diagram from each sequence of rules. Firewall design manger 160 transforms each firewall decision diagram to an equivalent simple firewall decision diagram (step 924). The process proceeds to step 926, which depicts firewall design manager 160 transforming all firewall decision diagrams to semi-isomorphic firewall decision diagrams. The process continues to step 928, which illustrates firewall design manager 160 computing discrepancies between the semi-isomorphic firewall decision diagrams. The process then ends, as illustrated in step 930.

Returning to step 916, if firewall design manager 160 determines that no firewall design is expressed as a non-ordered firewall decision diagram, the process continues to step 918, which illustrates firewall design manager 160 determining if at least one firewall design is expressed as a sequence of rules. If at least one firewall design is expressed as a sequence of rules, the process continues to step 922 and proceeds in an iterative fashion. If no firewall design is expressed as a sequence of rules, the process continues to step 924 and proceeds in an iterative fashion.

Those with skill in this art will appreciate that the present invention may be applied to many systems where a system can be represented by a sequence of rules. Examples of such systems are rule-based systems in the area of artificial intelligence and access control in the area of databases.

As discussed, the present invention includes a system, computer-implementable method, and computer-usable medium for resolving discrepancies between diverse firewall designs. In a preferred embodiment of the present invention, a firewall design manager receives at least two designs for a rule-based system and computing at least one functional discrepancy between the at least two designs utilizing decision diagrams.

It should be understood that at least some aspects of the present invention may alternatively be implemented in a computer-usable medium that contains a program product. Programs defining functions in the present invention can be delivered to a data storage system or a computer system via a variety of signal-bearing media, which include, without limitation, non-writable storage media (e.g., CD-ROM), writable storage media (e.g., hard disk drive, read/write CD-ROM, optical media), system memory such as, but not limited to Random Access Memory (RAM), and communication media, such as computer and telephone networks including Ethernet, the Internet, wireless networks, and like network systems. It should be understood, therefore, that such signal-bearing media when carrying or encoding computer-readable instructions that direct method functions in the present invention represent alternative embodiments of the present invention. Further, it is understood that the present invention may be implemented by a system having means in the form of hardware, software, or a combination of software and hardware as described herein or their equivalent.

While the present invention has been particularly shown and described with reference to a preferred embodiment, it will be understood by those skilled in the art that various changes in form and detail may be made therein without departing from the spirit and scope of the invention. Furthermore, as used in the specification and the appended claims, the term “computer” or “system” or “computer system” or “computing device” includes any data processing system include, but not limited to, personal computers, servers, workstations, network computers, main frame computers, routers, switches, Personal Digital Assistants (PDAs), telephones, and any other system capable of processing, transmitting, receiving, capturing, and/or storing data. 

1. A computer-implementable method comprising: receiving at least two designs for a rule-based system; and computing at least one functional discrepancy between said at least two designs utilizing decision diagrams.
 2. The computer-implementable method according to claim 1, wherein said computing further comprises: transforming said at least two designs into at least two ordered decision diagrams; transforming said at least two ordered decision diagrams into at least two equivalent simple decision diagrams; and transforming said at least two simple decision diagrams into at least two semi-isomorphic decision diagrams.
 3. The computer-implementable method according to claim 1, wherein said computing further comprises: in response to determining said at least one design is expressed as a non-ordered decision diagram, transforming said at least one design into a sequence of rules.
 4. The computer-implementable method according to claim 1, wherein said computing further comprises: in response to determining at least one design is expressed as a sequence of rules, constructing an equivalent ordered decision diagram from said sequence of rules.
 5. The computer-implementable method according to claim 1, wherein said computing further comprises: in response to determining at least one design is expressed as a non-ordered decision diagram, transforming said non-ordered decision diagram into a sequence of rules.
 6. The computer-implementable method according to claim 1, wherein said at least two designs are based on a specification.
 7. A system comprising: a processor; a databus coupled to said processor; and a computer-usable medium embodying computer program code, said computer-usable medium being coupled to said databus, said computer program code comprising instructions executable by said processor and configured for: receiving at least two designs for a rule-based system; and computing at least one functional discrepancy between said at least two designs utilizing decision diagrams.
 8. The system according to claim 7, wherein said instructions for computing at least one functional discrepancy are further configured for: transforming said at least two designs into at least two ordered decision diagrams; transforming said at least two ordered decision diagrams into at least two equivalent simple decision diagrams; and transforming said at least two simple decision diagrams into at least two semi-isomorphic decision diagrams.
 9. The system according to claim 7, wherein said instructions for computing at least one functional discrepancy are further configured for: in response to determining said at least one design is expressed as a non-ordered decision diagram, transforming said at least one design into a sequence of rules.
 10. The system according to claim 7, wherein said instructions for computing at least one functional discrepancy are further configured for: in response to determining at least one design is expressed as a sequence of rules, constructing an equivalent ordered decision diagram from said sequence of rules.
 11. The system according to claim 7, wherein said instructions for computing at least one functional discrepancy are further configured for: in response to determining at least one design is expressed as a non-ordered firewall decision diagram, transforming said non-ordered decision diagram into a sequence of rules.
 12. The system according to claim 7, wherein said at least two designs are based on a specification.
 13. A computer-usable medium embodying computer program code, said computer program code comprising computer-executable instructions configured for: receiving at least two designs for a rule-based system; and computing at least one functional discrepancy between said at least two designs utilizing decision diagrams.
 14. The computer-usable medium embodying computer program code according to claim 13, wherein said computer program code comprising computer-executable instructions for computing at least one functional discrepancy are further configured for: transforming said at least two designs into at least two ordered decision diagrams; transforming said at least two ordered decision diagrams into at least two equivalent simple decision diagrams; and transforming said at least two simple decision diagrams into at least two semi-isomorphic decision diagrams.
 15. The computer-usable medium embodying computer program code according to claim 13, wherein said computer program code comprising computer-executable instructions for computing at least one functional discrepancy are further configured for: in response to determining said at least one design is expressed as a non-ordered decision diagram, transforming said at least one design into a sequence of rules.
 16. The computer-usable medium embodying computer program code according to claim 13, wherein said computer program code comprising computer-executable instructions for computing at least one functional discrepancy are further configured for: in response to determining at least one design is expressed as a sequence of rules, constructing an equivalent ordered decision diagram from said sequence of rules.
 17. The computer-usable medium embodying computer program code according to claim 13, wherein said computer program code comprising computer-executable instructions for computing at least one functional discrepancy are further configured for: in response to determining at least one design is expressed as a non-ordered firewall decision diagram, transforming said non-ordered decision diagram into a sequence of rules.
 18. The computer-usable medium embodying computer program code according to claim 12, wherein said at least two designs are based on a specification. 